React2Shell CVE-2025-55182: unauthenticated unsafe deserialization in React Server Components leading to reliable remote code execution via the Flight protocol.
🔗 All exploit payloads, HTTP requests, and detection rules referenced in this article are archived on GitHub:
👉 https://github.com/AdityaBhatt3010/React2Shell-CVE-2025-55182
Lab: https://tryhackme.com/room/react2shellcve202555182
Difficulty: Intermediate → Advanced
Category: Web Exploitation | Deserialization | RCE
🧩 Task 1: Introduction — Why React2Shell Is a Big Deal
CVE-2025-55182, nicknamed React2Shell, is one of those vulnerabilities that instantly makes defenders nervous 😬. Discovered in December 2025, it carries a CVSS score of 10.0, which already tells you this isn’t some edge-case bug.
At its core, this vulnerability affects React Server Components (RSC) and frameworks built on top of them — most notably Next.js. The scary part?